Juniper SRX240和EX2200网络
Juniper SRX240和EX2200网络
提问于 2015-04-06 04:54:24
我不是网络工程师,所以这肯定是个问题。
我的任务很简单,我需要所有的客户都能上网。这两个EX2200之前都被配置为第二层交换机,所以我假设它们的配置很好。
在SRX240上,我能够建立互联网接入。如果我把我的笔记本电脑连接到它,网络就能正常工作。但是与EX2200的连接不起作用。我尝试了不同的网络指南,但似乎没有任何效果。
我应该如何配置SRX240,以便所有EX2200客户端都可以访问internet。理想情况下,我希望所有客户端都能从SRX240 DHCP获得ip,并且在同一个子网中。
当前配置
SRX240
version 11.2R4.3;
system {
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.129.152.129;
}
}
protocols {
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}EX2200 - 24
version 11.4R7.5;
system {
ports {
console {
log-out-on-disconnect;
type vt100;
}
}
login {
user admin {
uid 2000;
class super-user;
}
}
services {
ssh {
root-login allow;
}
telnet;
}
syslog {
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
}
chassis {
alarm {
management-ethernet {
link-down ignore;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/16 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/17 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/18 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/19 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/20 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/21 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/22 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members all;
}
}
}
}
ge-0/0/23 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members all;
}
}
}
}
ge-0/1/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/3 {
unit 0 {
family ethernet-switching;
}
}
vlan {
unit 10 {
family inet {
address 192.168.1.2/24;
}
}
unit 100 {
family inet {
address 10.129.152.135/25;
}
}
}
}
snmp {
community school-ro {
authorization read-only;
clients {
10.143.255.0/24;
}
}
trap-group ESMA {
targets {
10.143.255.2;
10.143.255.6;
10.143.255.10;
10.143.255.14;
10.143.255.42;
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.129.152.129;
}
}
protocols {
igmp-snooping {
vlan all;
}
rstp;
lldp {
interface all;
}
lldp-med {
interface all;
}
}
ethernet-switching-options {
storm-control {
interface all;
}
}
vlans {
management {
vlan-id 10;
l3-interface vlan.10;
}
private-eth {
vlan-id 20;
}
public-eth {
vlan-id 30;
}
wan {
vlan-id 100;
l3-interface vlan.100;
}
}回答 1
Network Engineering用户
回答已采纳
发布于 2015-04-06 09:28:23
为了回答这个问题,我将逐个检查你的配置。
您的SRX240配置基本上是正确的,并且应该工作,但有一个小问题,即您的WAN/Internet接口(ge-0/0/0)似乎在使用DHCP:
SRX:
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
[...]当您已经定义了一个默认网关时:
SRX:
routing-options {
static {
route 0.0.0.0/0 next-hop 10.129.152.129;
}
}您的默认网关可能是由DHCP提供的,因此您可能不需要/不想静态地定义它。但是,如果dhcp地址/net掩码中没有10.129.152.129,那么JunOS可能会忽略它,而且由于您还说在直接插入SRX时您能够成功地获得互联网连接,这可能不会造成问题。要消除这种清洁度,在SRX240上发出以下命令:
SRX:
configure
delete routing-options static
commit打开开关。您没有告诉我们SRX240上的哪个端口连接到EX2200上的哪个端口,所以这很难回答,但是根据配置,我可以推断出您的WAN/Internet链接在SRX240上是ge-0/0/0,并且至少有一个交换机被插入到SRX上的其他接口之一(ge-0/0/1到15)。
使用您提供的配置(只用于EX2200-24,而不是EX2200-48),只要端口ge-0/0/0到21连接到SRX,您的拓扑就应该工作。但是,如果SRX插入EX上的端口22或23,则会出现问题,因为这些端口处于主干模式,而SRX没有配置或期望VLAN标记的以太网帧。
例:
interfaces {
[...]
ge-0/0/22 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members all;
}
}
}
}
ge-0/0/23 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members all;
}
}
}
}
[...]另外,如果您真正想要的只是一个平面的L2拓扑,那么您有一些不需要的配置:
例:
ge-0/0/XX {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}和
例:
vlans {
management {
vlan-id 10;
l3-interface vlan.10;
}
private-eth {
vlan-id 20;
}
public-eth {
vlan-id 30;
}
wan {
vlan-id 100;
l3-interface vlan.100;
}
}和
例:
interfaces {
[...]
vlan {
unit 10 {
family inet {
address 192.168.1.2/24;
}
}
unit 100 {
family inet {
address 10.129.152.135/25;
}
}
}您可以看到多个IP地址、vlans等配置。为了回到最基本的L2功能,我们应该删除一些旧的不必要的配置(只要您确信这是您的网络,并且您不是违背您的网络管理员意愿的流氓)。
例:
configure
delete interfaces ge-0/0/0
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2
delete interfaces ge-0/0/3
delete interfaces ge-0/0/4
delete interfaces ge-0/0/5
delete interfaces ge-0/0/6
delete interfaces ge-0/0/7
delete interfaces ge-0/0/8
delete interfaces ge-0/0/9
delete interfaces ge-0/0/10
delete interfaces ge-0/0/11
delete interfaces ge-0/0/12
delete interfaces ge-0/0/13
delete interfaces ge-0/0/14
delete interfaces ge-0/0/15
delete interfaces ge-0/0/16
delete interfaces ge-0/0/17
delete interfaces ge-0/0/18
delete interfaces ge-0/0/19
delete interfaces ge-0/0/20
delete interfaces ge-0/0/21
delete interfaces ge-0/0/22
delete interfaces ge-0/0/23
set interfaces ge-0/0/0.0 family ethernet-switching
set interfaces ge-0/0/1.0 family ethernet-switching
set interfaces ge-0/0/2.0 family ethernet-switching
set interfaces ge-0/0/3.0 family ethernet-switching
set interfaces ge-0/0/4.0 family ethernet-switching
set interfaces ge-0/0/5.0 family ethernet-switching
set interfaces ge-0/0/6.0 family ethernet-switching
set interfaces ge-0/0/7.0 family ethernet-switching
set interfaces ge-0/0/8.0 family ethernet-switching
set interfaces ge-0/0/9.0 family ethernet-switching
set interfaces ge-0/0/10.0 family ethernet-switching
set interfaces ge-0/0/11.0 family ethernet-switching
set interfaces ge-0/0/12.0 family ethernet-switching
set interfaces ge-0/0/13.0 family ethernet-switching
set interfaces ge-0/0/14.0 family ethernet-switching
set interfaces ge-0/0/15.0 family ethernet-switching
set interfaces ge-0/0/16.0 family ethernet-switching
set interfaces ge-0/0/17.0 family ethernet-switching
set interfaces ge-0/0/18.0 family ethernet-switching
set interfaces ge-0/0/19.0 family ethernet-switching
set interfaces ge-0/0/20.0 family ethernet-switching
set interfaces ge-0/0/21.0 family ethernet-switching
set interfaces ge-0/0/22.0 family ethernet-switching
set interfaces ge-0/0/23.0 family ethernet-switching
delete interfaces vlan.100
delete vlans
delete snmp
rename interfaces vlan.10 to unit 0
set vlans default l3-interface vlan.0
set vlans default vlan-id 1
delete routing-options
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
commit上面的命令执行以下操作:
- 清除开关上每个接口的当前配置。
- 为每个相同的接口创建新的空白/默认配置
- 清除vlan 100上可能未使用的IP地址
- 删除SNMP配置(这与您声明的目标无关)
- 将所有内容合并到默认的VLAN (如果没有指定其他VLAN,则所有接口都自动成为" default“的成员)。
- 将Management更改为默认的VLAN,就像通常在工厂更新的JunOS安装上一样
- 将默认网关设置为防火墙,这在此拓扑中并不是绝对必要的,因为在这种情况下,EX只是充当第二层交换机,但如果一切正常,至少您可以从交换机中选择internet上的主机。
您可能希望对EX2200-48进行类似的配置,但希望您能够查看上面的命令并执行类似的过程。如果您像我所描述的那样将拓扑夷为平地,您的所有客户端都将从SRX240获得他们的IP地址,并将获得互联网接入。
页面原文内容由Network Engineering提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://networkengineering.stackexchange.com/questions/17713
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号